<table class="table table-bordered">
    <thead>
        <tr>
            <th class="text-left" style="width: 20%">Key</th>
            <th class="text-left" style="width: 15%">Default</th>
            <th class="text-left" style="width: 10%">Type</th>
            <th class="text-left" style="width: 55%">Description</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td><h5>security.context.factory.classes</h5></td>
            <td style="word-wrap: break-word;">"org.apache.flink.runtime.security.contexts.HadoopSecurityContextFactory";<wbr>"org.apache.flink.runtime.security.contexts.NoOpSecurityContextFactory"</td>
            <td>List&lt;String&gt;</td>
            <td>List of factories that should be used to instantiate a security context. If multiple are configured, Flink will use the first compatible factory. You should have a NoOpSecurityContextFactory in this list as a fallback.</td>
        </tr>
        <tr>
            <td><h5>security.kerberos.krb5-conf.path</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>Specify the local location of the krb5.conf file. If defined, this conf would be mounted on the JobManager and TaskManager containers/pods for Kubernetes, Yarn and Mesos. Note: The KDC defined needs to be visible from inside the containers.</td>
        </tr>
        <tr>
            <td><h5>security.kerberos.login.contexts</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>A comma-separated list of login contexts to provide the Kerberos credentials to (for example, `Client,KafkaClient` to use the credentials for ZooKeeper authentication and for Kafka authentication)</td>
        </tr>
        <tr>
            <td><h5>security.kerberos.login.keytab</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>Absolute path to a Kerberos keytab file that contains the user credentials.</td>
        </tr>
        <tr>
            <td><h5>security.kerberos.login.principal</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>Kerberos principal name associated with the keytab.</td>
        </tr>
        <tr>
            <td><h5>security.kerberos.login.use-ticket-cache</h5></td>
            <td style="word-wrap: break-word;">true</td>
            <td>Boolean</td>
            <td>Indicates whether to read from your Kerberos ticket cache.</td>
        </tr>
        <tr>
            <td><h5>security.module.factory.classes</h5></td>
            <td style="word-wrap: break-word;">"org.apache.flink.runtime.security.modules.HadoopModuleFactory";<wbr>"org.apache.flink.runtime.security.modules.JaasModuleFactory";<wbr>"org.apache.flink.runtime.security.modules.ZookeeperModuleFactory"</td>
            <td>List&lt;String&gt;</td>
            <td>List of factories that should be used to instantiate security modules. All listed modules will be installed. Keep in mind that the configured security context might rely on some modules being present.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.algorithms</h5></td>
            <td style="word-wrap: break-word;">"TLS_RSA_WITH_AES_128_CBC_SHA"</td>
            <td>String</td>
            <td>The comma separated list of standard SSL algorithms to be supported. Read more <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites">here</a></td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.cert.fingerprint</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The sha1 fingerprint of the internal certificate. This further protects the internal communication to present the exact certificate used by Flink.This is necessary where one cannot use private CA(self signed) or there is internal firm wide CA is required</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.close-notify-flush-timeout</h5></td>
            <td style="word-wrap: break-word;">-1</td>
            <td>Integer</td>
            <td>The timeout (in ms) for flushing the `close_notify` that was triggered by closing a channel. If the `close_notify` was not flushed in the given timeout the channel will be closed forcibly. (-1 = use system default)</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.enabled</h5></td>
            <td style="word-wrap: break-word;">false</td>
            <td>Boolean</td>
            <td>Turns on SSL for internal network communication. Optionally, specific components may override this through their own settings (rpc, data transport, REST, etc).</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.handshake-timeout</h5></td>
            <td style="word-wrap: break-word;">-1</td>
            <td>Integer</td>
            <td>The timeout (in ms) during SSL handshake. (-1 = use system default)</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.key-password</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The secret to decrypt the key in the keystore for Flink's internal endpoints (rpc, data transport, blob server).</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.keystore</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The Java keystore file with SSL Key and Certificate, to be used Flink's internal endpoints (rpc, data transport, blob server).</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.keystore-password</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The secret to decrypt the keystore file for Flink's for Flink's internal endpoints (rpc, data transport, blob server).</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.session-cache-size</h5></td>
            <td style="word-wrap: break-word;">-1</td>
            <td>Integer</td>
            <td>The size of the cache used for storing SSL session objects. According to https://github.com/netty/netty/issues/832, you should always set this to an appropriate number to not run into a bug with stalling IO threads during garbage collection. (-1 = use system default).</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.session-timeout</h5></td>
            <td style="word-wrap: break-word;">-1</td>
            <td>Integer</td>
            <td>The timeout (in ms) for the cached SSL session objects. (-1 = use system default)</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.truststore</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The truststore file containing the public CA certificates to verify the peer for Flink's internal endpoints (rpc, data transport, blob server).</td>
        </tr>
        <tr>
            <td><h5>security.ssl.internal.truststore-password</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The password to decrypt the truststore for Flink's internal endpoints (rpc, data transport, blob server).</td>
        </tr>
        <tr>
            <td><h5>security.ssl.protocol</h5></td>
            <td style="word-wrap: break-word;">"TLSv1.2"</td>
            <td>String</td>
            <td>The SSL protocol version to be supported for the ssl transport. Note that it doesn’t support comma separated list.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.provider</h5></td>
            <td style="word-wrap: break-word;">"JDK"</td>
            <td>String</td>
            <td>The SSL engine provider to use for the ssl transport:<ul><li><span markdown="span">`JDK`</span>: default Java-based SSL engine</li><li><span markdown="span">`OPENSSL`</span>: openSSL-based SSL engine using system libraries</li></ul><span markdown="span">`OPENSSL`</span> is based on <a href="http://netty.io/wiki/forked-tomcat-native.html#wiki-h2-4">netty-tcnative</a> and comes in two flavours:<ul><li>dynamically linked: This will use your system's openSSL libraries (if compatible) and requires <span markdown="span">`opt/flink-shaded-netty-tcnative-dynamic-*.jar`</span> to be copied to <span markdown="span">`lib/`</span></li><li>statically linked: Due to potential licensing issues with openSSL (see <a href="https://issues.apache.org/jira/browse/LEGAL-393">LEGAL-393</a>), we cannot ship pre-built libraries. However, you can build the required library yourself and put it into <span markdown="span">`lib/`</span>:<br /><span markdown="span">`git clone https://github.com/apache/flink-shaded.git &amp;&amp; cd flink-shaded &amp;&amp; mvn clean package -Pinclude-netty-tcnative-static -pl flink-shaded-netty-tcnative-static`</span></li></ul></td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.authentication-enabled</h5></td>
            <td style="word-wrap: break-word;">false</td>
            <td>Boolean</td>
            <td>Turns on mutual SSL authentication for external communication via the REST endpoints.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.cert.fingerprint</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The sha1 fingerprint of the rest certificate. This further protects the rest REST endpoints to present certificate which is only used by proxy serverThis is necessary where once uses public CA or internal firm wide CA</td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.enabled</h5></td>
            <td style="word-wrap: break-word;">false</td>
            <td>Boolean</td>
            <td>Turns on SSL for external communication via the REST endpoints.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.key-password</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The secret to decrypt the key in the keystore for Flink's external REST endpoints.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.keystore</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The Java keystore file with SSL Key and Certificate, to be used Flink's external REST endpoints.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.keystore-password</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The secret to decrypt the keystore file for Flink's for Flink's external REST endpoints.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.truststore</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The truststore file containing the public CA certificates to verify the peer for Flink's external REST endpoints.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.rest.truststore-password</h5></td>
            <td style="word-wrap: break-word;">(none)</td>
            <td>String</td>
            <td>The password to decrypt the truststore for Flink's external REST endpoints.</td>
        </tr>
        <tr>
            <td><h5>security.ssl.verify-hostname</h5></td>
            <td style="word-wrap: break-word;">true</td>
            <td>Boolean</td>
            <td>Flag to enable peer’s hostname verification during ssl handshake.</td>
        </tr>
        <tr>
            <td><h5>zookeeper.sasl.disable</h5></td>
            <td style="word-wrap: break-word;">false</td>
            <td>Boolean</td>
            <td></td>
        </tr>
        <tr>
            <td><h5>zookeeper.sasl.login-context-name</h5></td>
            <td style="word-wrap: break-word;">"Client"</td>
            <td>String</td>
            <td></td>
        </tr>
        <tr>
            <td><h5>zookeeper.sasl.service-name</h5></td>
            <td style="word-wrap: break-word;">"zookeeper"</td>
            <td>String</td>
            <td></td>
        </tr>
    </tbody>
</table>
